diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..1312ffa
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,126 @@
+name: CI
+
+defaults:
+ run:
+ shell: pwsh
+
+on:
+ push:
+ branches: [ main ]
+
+ pull_request:
+ branches: [ main ]
+
+ release:
+ types: [ published ]
+
+jobs:
+ Build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: .NET Build
+ run: dotnet publish --configuration Release
+
+ - name: Create module
+ run: |
+ New-Item module -ItemType Directory
+ $settings = Import-PowerShellDataFile ./BuildSettings.psd1
+ Copy-Item @settings
+
+ - name: Upload module
+ uses: actions/upload-artifact@v4
+ with:
+ name: module
+ path: ./module/
+
+ Test:
+ needs: Build
+ runs-on: windows-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Download module
+ uses: actions/download-artifact@v4
+ with:
+ name: module
+ path: C:\Users\runneradmin\Documents\PowerShell\Modules\AnyPackage.NuGet\
+
+ - name: Install AnyPackage module
+ run: Install-Module AnyPackage -Force -AllowClobber
+
+ - name: Test with Pester
+ run: |
+ $ht = Import-PowerShellDataFile PesterSettings.psd1
+ $config = New-PesterConfiguration $ht
+ Invoke-Pester -Configuration $config
+
+ Sign:
+ needs: Test
+ if: github.event_name == 'release' && github.event.action == 'published'
+ runs-on: windows-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Download module
+ uses: actions/download-artifact@v4
+ with:
+ name: module
+ path: module
+
+ - name: Import certificate
+ env:
+ CERTIFICATE_BASE64: ${{ secrets.CERTIFICATE_BASE64 }}
+ CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
+ CERTIFICATE_PASSWORD_KEY_BASE64: ${{ secrets.CERTIFICATE_PASSWORD_KEY_BASE64 }}
+ run: |
+ [convert]::FromBase64String($env:CERTIFICATE_BASE64) | Set-Content -Path cert.pfx -AsByteStream
+ $key = [convert]::FromBase64String($env:CERTIFICATE_PASSWORD_KEY_BASE64)
+ $password = ConvertTo-SecureString $env:CERTIFICATE_PASSWORD -Key $key
+ Import-PfxCertificate cert.pfx -Password $password
-CertStoreLocation Cert:\CurrentUser\My
+
+ - name: Sign files
+ run: |
+ $config = Import-PowerShellDataFile SignSettings.psd1
+ $config['Certificate'] = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
+ Set-Location .\module
+ Set-AuthenticodeSignature @config
+
+ - name: Create and sign catalog file
+ run: |
+ $config = Import-PowerShellDataFile SignSettings.psd1
+ $config['FilePath'] = 'AnyPackage.NuGet.cat'
+ $config['Certificate'] = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
+ Set-Location .\module
+ New-FileCatalog $config['FilePath'] -CatalogVersion 2
+ Set-AuthenticodeSignature @config
+
+ - name: Upload module
+ uses: actions/upload-artifact@v4
+ with:
+ name: module-signed
+ path: ./module/
+
+ Publish:
+ needs: Sign
+ if: github.event_name == 'release' && github.event.action == 'published'
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Download module
+ uses: actions/download-artifact@v4
+ with:
+ name: module-signed
+ path: '~/.local/share/powershell/Modules/AnyPackage.NuGet'
+
+ - name: Install AnyPackage module
+ run: Install-Module AnyPackage -Force -AllowClobber
+
+ - name: Publish Module
+ env:
+ NUGET_KEY: ${{ secrets.NUGET_KEY }}
+ run: Publish-Module -Name AnyPackage.NuGet -NuGetApiKey $env:NUGET_KEY
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..704cd8d
--- /dev/null
+++ b/.github/workflows/codeql.yml
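Review bot: The workflow declares no `permissions:` block, so every job — including Sign and Publish, which handle the signing certificate and the NuGet API key — runs with the repository's default GITHUB_TOKEN scope; add a top-level `permissions:` mapping with `contents: read` (as codeql.yml already does per job), widening a single job only if one of its steps turns out to need more, and consider putting Publish behind a protected `environment:` so a release needs an approval before the key is used. The `actions/*` steps here and the `github/codeql-action/*` steps in codeql.yml are pinned to floating major tags (`@v4`, `@v3`), and `Install-Module AnyPackage -Force -AllowClobber` in Test and Publish installs whatever the Gallery currently serves, so the module that gets signed and published depends on unpinned third-party code; pin the actions to a full commit SHA with a `# vX.Y.Z` comment and pass `-RequiredVersion` to Install-Module. The Import certificate step writes the decrypted PFX to `cert.pfx` in the workspace and never removes it after `Import-PfxCertificate`; a closing step with `if: always()` running `Remove-Item cert.pfx -Force -ErrorAction SilentlyContinue` keeps the key material from outliving the step on the runner. Note that in this view the `Import-PfxCertificate` command is split across two lines, with `-CertStoreLocation Cert:\CurrentUser\My` continuing the same `run:` line.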
@@ -0,0 +1,40 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '32 19 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'csharp' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Auto build + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/BuildSettings.psd1 b/BuildSettings.psd1 index 4a44851..059e91c 100644 --- a/BuildSettings.psd1 +++ b/BuildSettings.psd1 @@ -1,7 +1,11 @@ @{ Path = @( - './src/code/bin/Release/netstandard2.0/NuGetProvider.dll', + './src/code/bin/Release/netstandard2.0/publish/*' './src/AnyPackage.NuGet.psd1' ) Destination = './module' + Exclude = @( + 'NuGetProvider.deps.json', + '*.pdb' + ) }
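Review bot: Scalar quoting in this file is mixed — `"CodeQL"` and `"main"` use double quotes, `'csharp'` and the cron string use single quotes, and ci.yml leaves `main` bare — while the expression style also varies between `${{ matrix.language }}` in the init step and `${{matrix.language}}` in the analyze step. None of this changes behaviour, but pick one quoting style (single quotes for literal strings is the usual choice) and one spacing for `${{ }}` expressions so the two workflow files read consistently.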
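Review bot: The new `Path` entry drops the trailing comma that the removed `NuGetProvider.dll` line carried, leaving `'./src/code/bin/Release/netstandard2.0/publish/*'` and `'./src/AnyPackage.NuGet.psd1'` separated only by a newline; inside `@( )` that still yields two elements, but the file is now inconsistent and would become a parse error if the two were ever joined onto one line, so restore it as `'./src/code/bin/Release/netstandard2.0/publish/*',`. Switching from a named DLL to a `publish/*` glob with a two-pattern `Exclude` also means that anything else landing in the publish directory is copied into `./module`, which the Sign job then signs and the Publish job ships; if the expected publish output is a known set of files, listing them explicitly (or at least listing the `./module` contents in the Build job log before upload) would keep the signed payload from growing unnoticed.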